Institutions such as banks and retail establishments often conduct business electronically, for example, through the use of the internet. Such institutions and their customers therefore require a secure environment that is capable of managing cryptographic keys, which are a basic building block of information technology security.
Examples of cryptographic keys include symmetric keys and asymmetric keys. Symmetric keys may be used, for example, for encryption of data. Symmetric encryption uses a single secret key shared by all parties communicating with one another: a message is locked (encrypted) with the key, and the same key is used to unlock (decrypt) it. Because anyone who holds the key can both read and forge messages, protecting a message under symmetric encryption depends on having a secure method of distributing the secret key to all users.
Asymmetric keys may be used, for example, for both encryption and authentication. Asymmetric encryption uses a key pair to secure information. A key pair consists of a private key (the decryption key), which is known only to a single user or a limited group of users, and a public key (the encryption key), which may be known by anyone. Encrypting and then decrypting a message uses both keys of the pair: a sender encrypts the message with the public key of the intended recipient, and the recipient uses his or her private key to decrypt it. For authentication the roles are reversed: the holder of the private key signs a message, and anyone holding the public key can verify the signature.
A problem with symmetric keys is that they must be changed or rotated periodically, because the more data is protected under a single key, the more material an attacker has to work with and the greater the exposure if that key is compromised. Asymmetric keys (private keys, public keys, and certificates) also require change control, and in most instances an application must be recycled (restarted) to pick up a new key. In current systems, all keys, whether symmetric or asymmetric, are rotated manually, and the manual key delivery process is insecure and error prone. There is also a need for a cryptographic key management system that supports the asymmetric keys used in the rotation process as well as the asymmetric keys used for authentication, such as those issued by a certificate authority.
There is also a need for a system that provides a simple and secure way for both middleware and mainframe applications to store and retrieve keys automatically. The term “middleware application” refers to a non-mainframe application (a web application, web service, and the like), such as a login application for authenticating users. The term “mainframe application” refers to an application residing on a mainframe, such as a credential manager that might be called by the login application to validate a password.
Thus, the need exists for a simple and secure system that provides all of the functionality and security features described above and also includes automated key distribution and rotation suitable for both symmetric and asymmetric keys, without loss of data, performance, or functionality. There is also a need for a computer or software application to securely obtain and rotate keys for use in secure communication with partner applications.
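As an added illustration, not part of this application's disclosure, the following Go program shows one way the automated, restart-free rotation called for above can be built from the key types described earlier. A key server holds numbered generations of a symmetric data key and delivers each generation to an application wrapped under that application's public key (asymmetric encryption securing the exchange of a symmetric key); every ciphertext carries the number of the generation that produced it, so after a rotation a running application keeps reading old data and fetches only the generations it has not yet seen. The names KeyServer, Client, Issue and Rotate, the in-process call from client to server, and the ciphertext layout are assumptions made for this example; a deployment would place the server behind a network API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// KeyServer (an illustrative name) keeps every generation of the AES-256 data key it has
// issued: the newest encrypts new data, older ones stay available so that data written
// before a rotation remains readable. Generation IDs are 1-based positions in versions.
type KeyServer struct{ versions [][]byte }

// Rotate adds a fresh random generation. No client is restarted: each fetches the
// generations it has not seen yet. (crypto/rand.Read aborts instead of returning an error.)
func (s *KeyServer) Rotate() {
	k := make([]byte, 32)
	rand.Read(k)
	s.versions = append(s.versions, k)
}

// label encodes a generation ID; it doubles as OAEP label and as GCM associated data.
func label(id uint32) []byte { return binary.BigEndian.AppendUint32(nil, id) }

// Issue delivers generation id RSA-OAEP encrypted under the client's public key, with the
// generation ID as OAEP label so one generation cannot be passed off as another.
func (s *KeyServer) Issue(id uint32, clientPub *rsa.PublicKey) ([]byte, error) {
	if id == 0 || int(id) > len(s.versions) {
		return nil, fmt.Errorf("unknown key generation %d", id)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, s.versions[id-1], label(id))
}

// Client stands for a middleware or mainframe application. Keys are never delivered to it
// by hand: it asks the server for whatever generation a ciphertext names.
type Client struct {
	priv  *rsa.PrivateKey
	cache map[uint32][]byte // generations already fetched and unwrapped
}

func NewClient() (*Client, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Client{priv: priv, cache: map[uint32][]byte{}}, err
}

// keyFor unwraps generation id with the client's private key the first time it is needed.
func (c *Client) keyFor(server *KeyServer, id uint32) ([]byte, error) {
	if k, ok := c.cache[id]; ok {
		return k, nil
	}
	wrapped, err := server.Issue(id, &c.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, wrapped, label(id))
	if err == nil {
		c.cache[id] = k
	}
	return k, err
}

// gcm builds the AEAD; it cannot fail because Rotate fixes the key size at 32 bytes.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Encrypt emits generation ID (4 bytes) || nonce (12 bytes) || AES-GCM(plaintext), with
// the ID bound into the GCM tag as associated data so it cannot be altered in storage.
func (c *Client) Encrypt(server *KeyServer, plaintext []byte) ([]byte, error) {
	id := uint32(len(server.versions)) // the newest generation
	key, err := c.keyFor(server, id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(append(label(id), nonce...), nonce, plaintext, label(id)), nil
}

// Decrypt reads the generation ID out of the ciphertext, so data written under an older
// generation still decrypts after any number of rotations.
func (c *Client) Decrypt(server *KeyServer, ct []byte) ([]byte, error) {
	if len(ct) < 16 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	key, err := c.keyFor(server, binary.BigEndian.Uint32(ct[:4]))
	if err != nil {
		return nil, err
	}
	return gcm(key).Open(nil, ct[4:16], ct[16:], ct[:4])
}

func main() {
	server := &KeyServer{}
	server.Rotate()
	app, _ := NewClient()
	old, _ := app.Encrypt(server, []byte("written under generation 1"))
	server.Rotate() // scheduled rotation; the application keeps running
	pt, err := app.Decrypt(server, old) // still readable: the ciphertext names generation 1
	fmt.Printf("%q %v\n", pt, err)
}
```

The example leaves out the second asymmetric use the application lists: in deployment the server would sign each wrapped key with its own private key, or deliver it over a channel authenticated by a certificate issued by a certificate authority, so that a client can reject keys that did not come from the key server. The client here also keeps every generation it has ever unwrapped in memory; a production client would evict generations the server has retired and would be told, rather than assume, which generation is current.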